michael/Wiki
1
0
Fork 0
Code Issues 1 Pull Requests Releases Wiki Activity
Files
master
Wiki/OpenSSL.md
Michael Schlapa 6110e3d50c Add SHA256
2024-03-15 13:13:50 +01:00

2.6 KiB
Raw Permalink Blame History

OpenSSL

For my SSL keys and certificates I always use:

  • .crt for the certificates,
  • .key for the keys and
  • .csr for the CSRs

While technically not correct, I think this is more verbose.

General commands

Generate a new private key

The -pkeyopt rsa_keygen_bits:2048 determines the key length. The default value is 1024. -outform PEM controls the form of the key. Values are PEM and DER. If you want to encrypt the key add the following parameters: -aes-128-cbc -pass pass:test123. Instead of -aes-128-cbc you can use other ciphers (e.g. -des3). If you omit the -pass argument you will be asked for a password.

openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -outform PEM -out private_key.key

Generate a new private key and certificate

openssl req -x509 -newkey rsa:4096 -keyout private_key.key -out certificate.crt -sha256 -days 365

Generate a new private key and certificate signing request (CSR)

openssl req -out signing_request.csr -new -newkey rsa:2048 -nodes -keyout private_key.key -sha256

Generate a certificate signing request (CSR) for an existing private key

openssl req -out signing_request.csr -key private_key.key -new -sha256

Pass Subject and SubjectAlternativeName directly:

-subj "/C=DE/CN=example.tld" -addext "subjectAltName=DNS:example.tld,DNS:example2.tld,IP:127.0.0.1"

Generate a certificate signing request based on an existing certificate

openssl x509 -x509toreq -in certificate.crt -out signing_request.csr -signkey private_key.key

Encrypt a (RSA) private key

openssl rsa -des3 -in unencrypted.key -out encrypted.key

Decrypt a (RSA) private key

openssl rsa -in encrypted.key -out decrypted.key

Checking commands

Check a Certificate Signing Request (CSR)

openssl req -text -noout -verify -in signing_request.csr

Get information about a private key

openssl rsa -text -noout -in private_key.key

Check a private key

openssl rsa -check -in private_key.key

Check a certificate

openssl x509 -text -noout -in certificate.crt

Check a PKCS#12 file (.pfx or .p12)

openssl pkcs12 -info -in keystore.p12

Debugging commands

Compare md5 hashes of certificate, key and CSR

openssl x509 -noout -modulus -in certificate.crt | openssl md5
openssl rsa -noout -modulus -in private_key.key | openssl md5
openssl req -noout -modulus -in signing_request.csr | openssl md5

Check an SSL connection.

All certificates (including intermediates) should be displayed.

openssl s_client -connect gitea.forkmissile.de:443
Reference in New Issue View Git Blame Copy Permalink